SlideShare una empresa de Scribd logo

Word camp orange county 2012 enduser security

Descargar como PPTX, PDF
Tony Perez
Tony Perez
Tecnología
1 de 63
WordPres s Security Knowledge is Power
Who Am I Hi, my name is Tony Perez | @perezbox Marine Corps – War Vet Sucuri Security Objectivity and rationalism Gun carrying, Harley riding, Martial Artist . Web-malware is my life @sucuri_security @perezbox #wcoc 2 6/2/2012
What are we going to talk about? Web Security Look at some statistics… Provide an understanding of web malware Understand the threat scape a bit… Look at some of the recent trends… Give some hardening tips Get into the recommendations… @sucuri_security @perezbox #wcoc 3 6/2/2012
Thinking about Web Security Web Security Access Containment Knowledge @sucuri_security @perezbox #wcoc 4 6/2/2012
The Stats
Web Numbers > 700 Million websites – As of May 2012– Netcraft 300 Million – Number of websites in 2011 – Pingdom 10.82 Billion – Number of indexed pages – WorldWebSize 2.1 Billion – Number of internet users worldwide Pingdom Projected that: 1 Billion – 2013 2 Billion - 2015 @sucuri_security @perezbox #wcoc 6 6/2/2012
WordPress Numbers 73 Million + – Number of WP powered sites 16% - Of all Websites run WordPress 22 – Out of every 100 new domains in the U.S. 54% - CMS marketshare 62% - Market share of top 1,000,000 Sites 53% - Market share of top 100,000 sites 55% - Market share of top 10,000 sites Projection 300 – 500 Million - 2015 @sucuri_security @perezbox #wcoc 7 6/2/2012
Web Malware Numbers 403 Million – Unique variants of malware 2011 140% Growth – 2010 – 2011 in unique variants 55,294 – Malicious web domains in 2011 130% Growth – 2010 – 2011 in malicious domains 81% - Increase malicious web-based attacks between 2010 / 2011 42 Billion – Global SPAM per day 2011 (Source: Symantec Internet Security Threat Report, Vol 17) @sucuri_security @perezbox #wcoc 8 6/2/2012
Gah… NO MORE NUMBERS The web is growing at an unprecedented pace. WordPress growth – astronomical and gaining Web-based malware is not far behind To have a virtual presence you must consider the security of your website @sucuri_security @perezbox #wcoc 9 6/2/2012
Web Security
Thinking about Web Security Web Security Access Containment Knowledge Minimize Control Authentication Reduce Threat Have a Plan Be prepared Impact @sucuri_security @perezbox #wcoc 11 6/2/2012
Web-based Malware Malware – Short for malicious software. This software is designed to disrupt operation of an information system (i.e., local machine, server, mobile device, etc…) In 2011, malnets (malware networks) emerged as the next evolution in the threat landscape. These infrastructures last beyond any one attack. - BlueCoat 2012 Web Security Report @sucuri_security @perezbox #wcoc 12 6/2/2012
Types of Malware Obfuscated JavaScript Stupid, Pointless, Annoyi ng Messages (SPAM) Hidden & Malicious iFrames Defacement Embedded Trojans Anomalies Phishing Attempts IP Cloaking Malicious Redirects Drive by Downloads Backdoors (e.g., C99, R57, Webshe lls) @sucuri_security @perezbox #wcoc 13 6/2/2012
Attack Vectors User Issues Out-of-Date Software Social Engineering Compromised Credentials Software Issues SQL Injection Cross-Site Scripting (XSS) Cross-Site Request Forgery (XSRF) Remote Execution @sucuri_security @perezbox #wcoc 14 6/2/2012
Most Common Distributions Social Engineering Trick you into installing malware Compromising credentials Websites, Email, Twitter Drive-by-Downloads Install malware after exploiting a vulnerability – big issue for us in the WP community iFrame (52.6%) and JS injections (26.5%) Malicious redirects Redirect user to another site often distributing malware @sucuri_security @perezbox #wcoc 15 6/2/2012
Threat Landscape End User Local Application Environment Web Server Administration Network Threat Environmental Landscape @sucuri_security @perezbox #wcoc 16 6/2/2012
The Attacker Types Culture Has code of ethics, heroes and White-Hat villains and competing gangs Ethical / Grey Hat Knowledge is power Most Believe information and Script Kiddie computer access should be freely shared Hacktivist Major motivation among hackers is status Cracker / Black Hat Financial gain is a strong motivation with crackers – Robin Hood mindset – ok to steal @sucuri_security @perezbox #wcoc 17 6/2/2012
But I only write about lazy lizards!!!! • Opportunistic Attacks • Road of least resistance • Political Agenda / Further Cause • Mass Exposure • In short – it doesn‟t matter what you write about, you have a virtual presence @sucuri_security @perezbox #wcoc 18 6/2/2012
Is WordPress insecure? Out of the box, core is well built and secure It‟s no longer the days of 1.5 Security team is in place to quickly address and patch issues Extensibility – both its strength and weakness With popularity comes a target… think Windows for local environments Easy target because of its exposure, attackers focusing on the platform Road of least resistance @sucuri_security @perezbox #wcoc 19 6/2/2012
Recent Vulnerabilities and Infections Vulnerabilities Campaigns PHP-CGI Vulnerability - Recovery-hdd.eu Malware Campaign Patched Nikjju Mass Injection WooThemes Campaign Vulnerability – Patched GetMama Conditional Malware Campaign TimThumb Vulnerability – Patched .RR.NU Malware Campagin Sweepstake Malware Campaign @sucuri_security @perezbox #wcoc 20 6/2/2012
Top reasons why we see these infections Poor credential Management Poor System Administration Soup Kitchen Servers Out of Date Software Lack of Web knowledge Use of self-proclaimed “experts” Cutting Corners @sucuri_security @perezbox #wcoc 21 6/2/2012
So what can you do? Glad you asked
Reduce Threat Risk Update Credentials Communicate Securely Themes / Plugins Harden Your Install Don‟t forget your local environment Knowledge - Resources @sucuri_security @perezbox #wcoc 23 6/2/2012
Update, Update, Update Leading cause of infections If your theme is so coupled with core it can‟t be updated, consider purchasing a new one PHP, Core, Themes, Plu gins, JavaScript… @sucuri_security @perezbox #wcoc 24 6/2/2012
Credentials (user / password) Basics Take-Aways Avoid using „Admin‟ & Complex Unique password „Administrator‟ Upper / Lower Symbols Numbers Use Strong Passwords Longer than 18 characters Online Generator: http://www.onlinepasswordgen Passphrases erator.com/password.php Use one time – Password manager Use Password Manager LastPass – Free – Online / In short: Mobile Access No Dates No Names https://lastpass.com/ No Pets 1Password No Places https://agilebits.com/onepass A = @, E = 3, S= $, O = 0 word They know this @sucuri_security @perezbox #wcoc 25 6/2/2012
Data Dictionary / Defacement @sucuri_security @perezbox #wcoc 26 6/2/2012
Communicate Securely Communication mechanisms File Transfer Protocol (FTP) Secret File Transfer Protocol (SFTP) Secure Shell (SSH) Tools Filezilla Coda NCFTP SFTP / SSH - Best Approach Google: How to create SFTP account on [Host Name] Google: How to enable SSH on [Host Name] @sucuri_security @perezbox #wcoc 27 6/2/2012
Safe Themes / Plugins WordPress Repository is a good place to start 19.6k+ - Available Plugins 1.5k+ - Available Themes Look for good descriptions of the theme or plugin Look to see versions and updates Active change log is always good Theme-check & Plugin-check are good tools to check potential issues Free Theme? http://wpmu.org/why-you-should-never-search-for-free- wordpress-themes-in-google-or-anywhere-else/ @sucuri_security @perezbox #wcoc 28 6/2/2012
Plugins To Avoid WPStats.org SPAM – Fake Advanced Search Plugin SEO poisoning – Bad http://blog.sucuri.net/2012/05/wpstats-org-spam-and-a-fake-advanced-search- plugin.html Dean FCKEditor with PWWANGS Code for WordPress (version 1.0.0) Upload / Server control - Very Bad http://blog.sucuri.net/2012/03/wordpress-third-party-vulnerability-deans-fckeditor-with- pwwangs-code-for-wordpress-version-1-0-0.html Absolute Privacy Plugin Known vulnerability http://blog.sucuri.net/2012/02/vulnerability-in-the-absolute-privacy-plugin.html ToolsPack Plugin Dangerous backdoor – full access - Very Bad http://blog.sucuri.net/2012/02/new-wordpress-toolspack-plugin.html @sucuri_security @perezbox #wcoc 29 6/2/2012
What websites are dangerous? @sucuri_security @perezbox #wcoc 30 6/2/2012
Hardening Getting er done!
HTACCESS is your Friend Configuration file for web servers using Apache Features: Error Documents Redirects Password Protection Deny visitors by IP Hot link prevention Access prevention More? Apply these changes at your own peril – run risk of blowing up site @sucuri_security @perezbox #wcoc 32 6/2/2012
Protect HTACCESS Permission <= 640 #PROTECT HTACCESS <Files HTACCESS> Order Allow, Deny Deny from all </Files> @sucuri_security @perezbox #wcoc 33 6/2/2012
Protect WP-Config .htaccess Permissions <= 640 #PROTECT WP-CONFIG <Files wp-config.php> Order Allow, Deny Deny from all </Files> @sucuri_security @perezbox #wcoc 34 6/2/2012
Authentication Keys wp-config.php Encrypts information stored in user‟s cookies https://api.wordpress.org/secret-key/1.1/salt/ Resource: http://codex.wordpress.org/Editing_wp-config.php @sucuri_security @perezbox #wcoc 35 6/2/2012
Database Prefix Default is “wp_” wp-config.php @sucuri_security @perezbox #wcoc 36 6/2/2012
Admin User Created by “default” < = 3.0 In higher version you can define your own administrator Create new user, apply “administrator” role Be mindful of any posts created by “admin” user Delete “admin” user @sucuri_security @perezbox #wcoc 37 6/2/2012
Disable Directory Listing Nobody show know the color of your skivvies Default in most hosts, not always # PREVENT DIRECTORY LISTINGS Options -Indexes @sucuri_security @perezbox #wcoc 38 6/2/2012
Disable Plugin / Theme Editor wp-config.php file Remove the ability modify your files via your wp-admin panel – force to use SFTP / SSH and your local IDE # Disable Plugin / Theme Editor Define(„DISALLOW_FILE_EDIT‟,true); @sucuri_security @perezbox #wcoc 39 6/2/2012
Permissions Directories 755 Files Directories: 644 find [path to install] -type d -exec chmod 755 {} ; Important Files .htaccess = 644 Files: Find [path to install] -type f -exec chmod 644 {} ; wp-config.php = 600 php.ini = 600 php.cgi = 711 php5.cgi = 100 Reading: http://codex.wordpress.org/Changing_File_Permissions @sucuri_security @perezbox #wcoc 40 6/2/2012
Protect WP-Admin If you have a dynamic IP this might be problematic Consider HTTPS (Heavy / Complicated) or Basic Authentication (Effective / Simple) # SECURE Access to WP-ADMIN <FilesMatch ".*"> Order Deny,Allow Deny from all Allow from [IP Address] </FilesMatch> @sucuri_security @perezbox #wcoc 41 6/2/2012
Harden WP-Includes Create .htaccess in wp-includes directory #PROTECT WP-INCLUDES <FilesMatch “.php”> Order Allow, Deny Deny from all Deny</Files> @sucuri_security @perezbox #wcoc 42 6/2/2012
Harden WP-Content Create .htaccess in wp-content directory Most vulnerable, contains Uploads directory, often the attack vector It can be moved, but if you‟re an end-user don‟t touch – hire a pro – lots of dependencies #PROTECT WP-CONTENT <FilesMatch “.php”> Order Allow, Deny Deny from all Deny</Files> @sucuri_security @perezbox #wcoc 43 6/2/2012
Limit Upload Most shells < 1 mb Good idea anyway - //limit file upload to 10mb LimitRequestBody 10240000 @sucuri_security @perezbox #wcoc 44 6/2/2012
Protect Against Bots Malnets are a growing problem, proactively protect against them using a Web Application Firewall Perishable Press – 5G Blacklist 2012 http://perishablepress.com /5g-blacklist-2012/ @sucuri_security @perezbox #wcoc 45 6/2/2012
5G WordPress Add-On Don‟t want to add all that other stuff? No problem, try this condensed version for WordPress Doesn‟t require the 5G Blacklist and helps protect against bad URL request – i.e., helps take the load off your server from these very annoying requests Source: http://perishablepress.com/wordpress-5g-blacklist/ Careful – wp-signup required for MultiSite @sucuri_security @perezbox #wcoc 46 6/2/2012
Secure Login Page There are a number of plugins you can use for this, or, you can turn to your .htaccess again Might be an issue if its not static.. <Files wp-login.php> Order Deny,Allow Deny from All Allow from [Your IP] </Files> @sucuri_security @perezbox #wcoc 47 6/2/2012
Protect against XSS Deny bad query Strings – in short, don‟t become a victim to cross-site scripting # QUERY STRING EXPLOITS <IfModule mod_rewrite.c> RewriteCond %{QUERY_STRING} ../ [NC,OR] RewriteCond %{QUERY_STRING} boot.ini [NC,OR] RewriteCond %{QUERY_STRING} tag= [NC,OR] RewriteCond %{QUERY_STRING} ftp: [NC,OR] RewriteCond %{QUERY_STRING} http: [NC,OR] RewriteCond %{QUERY_STRING} https: [NC,OR] RewriteCond %{QUERY_STRING} mosConfig [NC,OR] RewriteCond %{QUERY_STRING} ^.*([|]|(|)|<|>|'|"|;|?|*).* [NC,OR] RewriteCond %{QUERY_STRING} ^.*(%22|%27|%3C|%3E|%5C|%7B|%7C).* [NC,OR] RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127.0).* [NC,OR] RewriteCond %{QUERY_STRING} ^.*(globals|encode|config|localhost|loopback).* [NC,OR] RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare|drop).* [NC] RewriteRule ^(.*)$ - [F,L] </IfModule> @sucuri_security @perezbox #wcoc 48 6/2/2012
SPAM Comments SPAM in your comments can get you blacklisted just as fast as injections on your pages Disable comments on pages if you don‟t want them Setting to close comments after a certain amount of time. Settings > Discussion > Other Comment Settings Automatically close comments on articles older than XX days Use AKISMET @sucuri_security @perezbox #wcoc 49 6/2/2012
Cross-Site Contamination Most of the things provided so far help you from external attacks. Internal attacks are as prevalent Growing problem – “Soup Kitchen” servers Development, Staging, Testing, Productions – 1 environment http://blog.sucuri.net/2012/03/a-little-tale-about-website- cross-contamination.html http://blog.sucuri.net/2012/03/website-cross- contamination-blackhat-seo-spam-malware.html @sucuri_security @perezbox #wcoc 50 6/2/2012
Security Plugins Sucuri Clients – Sucuri Security – Free to Clients Web Application Firewall Integrity Monitoring Auditing Hardening More: http://sucuri.net/services/preventive Not a client? No problem, other good options include – Login Lock http://wordpress.org/extend/plugins/login-lock/ WordPress File Monitor http://wordpress.org/extend/plugins/wordpress-file-monitor/ WordPress Firewall 2 http://wordpress.org/extend/plugins/wordpress-firewall-2/ BulletProof Security http://wordpress.org/extend/plugins/bulletproof-security/ @sucuri_security @perezbox #wcoc 51 6/2/2012
Still have a malware problem?
Two Approaches Do it Yourself Hire a Professional Forums are you friend Will cost money Requires time and Alleviates the stress patience Gets you up and running Leverage free tools in hours, if not days Know when you‟re in over your head Can take time – hours, days, weeks, mo nths @sucuri_security @perezbox #wcoc 53 6/2/2012
Support Forums WordPress.org Hacked: http://wordpress.org/tags/hacked Malware: http://wordpress.org/tags/malware BadwareBusters.org https://badwarebusters.org/ @sucuri_security @perezbox #wcoc 54 6/2/2012
Things to Know when Engaging Professionals Know who your host is and how to contact them in the event of an emergency Know how to access your server – FTP, SFTP, SSH, FTPS Have a backup accessible Tips: http://blog.sucuri.net/2012/04/ask-sucuri-what-should-i- know-when-engaging-a-web-malware-company.html @sucuri_security @perezbox #wcoc 55 6/2/2012
Tips & Tricks After all this you might still become infected, and if you do here are a few tips to keep you going: 1. Immediately Change all credentials – wp- admin, database, cpanel 2. Log into your database and check all the users 3. Replace WP manually – avoid the default updater 4. Defacements – look at your index files (watch out for “.html” and “index2.php”) 5. Use live scanner: http://sitecheck.sucuri.net 6. Use terminal to GREP and FIND issues reported 7. Restore site from clean backup 8. Purge your cache 9. Disable plugins, validate each plugin 10. Engage a professional @sucuri_security @perezbox #wcoc 56 6/2/2012
Online Resources
FREE Real Time Virus Scanners Sucuri SiteCheck: http://sitecheck.sucuri.net Unmask Parasites: http://unmaskparasites.com/ @sucuri_security @perezbox #wcoc 58 6/2/2012
Blacklisting Authorities Google Chrome, FireFox Search Engine Results Page (SERP) http://www.google.com/webmaster/tools http://www.google.com/safebrowsing/diagnostic?site=[your site] Bing Internet Explorer http://www.bing.com/toolbox/webmaster/ Norton Facebook http://safeweb.norton.com/ AVG Opera http://www.avgthreatlabs.com/sitereports/ @sucuri_security @perezbox #wcoc 59 6/2/2012
Useful Plugins Know what you‟re using: Theme-Check Authors: Pross, Otto42 http://wordpress.org/extend/plugins/theme-check/ Plugin-Check Author: Pross http://wordpress.org/extend/plugins/plugin-check/ Protect Against Comment SPAM Akismet Authors: Matt, Ryan, Andy, mdawaffe http://wordpress.org/extend/plugins/akismet/ Still offers free service Backups are your friend: Author: iThemes http://pluginbuddy.com/purchase/backupbuddy/ @sucuri_security @perezbox #wcoc 60 6/2/2012
Online Reading http://blog.sucuri.net/2012/04/lockdown-wordpress-a- security-webinar-with-dre-armeda.html http://blog.sucuri.net/2012/04/ask-sucuri-how-to-stop-the- hacker-and-ensure-your-site-is-locked.html http://blog.sucuri.net/2012/04/ask-sucuri-what-should-i- know-when-engaging-a-web-malware-company.html http://codex.wordpress.org/Hardening_WordPress http://codex.wordpress.org/FAQ_My_site_was_hacked http://wpsecure.net/ @sucuri_security @perezbox #wcoc 61 6/2/2012
Online Tools http://www.botsvsbrowsers.com/SimulateUserAgent.asp http://www.tareeinternet.com/scripts/base.html http://www.tareeinternet.com/scripts/decrypt.php @sucuri_security @perezbox #wcoc 62 6/2/2012
Tony Perez Company: Sucuri Security Company site: http://sucuri.net Company blog: http://blog.sucuri.net Personal blog: http://perezbox.com Twitter: http://twitter.com/perezbox Linkedin: http://linkedin.com/in/perezbox Email: tony@sucuri.net @sucuri_security @perezbox #wcoc 63 6/2/2012

Recomendados

Navigating Online Threats - Website Security for Everyday Website Owners
Navigating Online Threats - Website Security for Everyday Website OwnersNavigating Online Threats - Website Security for Everyday Website Owners
Navigating Online Threats - Website Security for Everyday Website OwnersTony Perez
 
TBEX - North America 2014 - 5 Tips to Keep Your Content and Users Safe
TBEX - North America 2014 - 5 Tips to Keep Your Content and Users SafeTBEX - North America 2014 - 5 Tips to Keep Your Content and Users Safe
TBEX - North America 2014 - 5 Tips to Keep Your Content and Users SafeTony Perez
 
The most Common Website Security Threats
The most Common Website Security ThreatsThe most Common Website Security Threats
The most Common Website Security ThreatsHTS Hosting
 
WordPress Security Begins With Good Posture
WordPress Security Begins With Good PostureWordPress Security Begins With Good Posture
WordPress Security Begins With Good PostureTony Perez
 
Web App Security: XSS and CSRF
Web App Security: XSS and CSRFWeb App Security: XSS and CSRF
Web App Security: XSS and CSRFDave Ross
 
Xss ppt
Xss pptXss ppt
Xss pptpenetration Tester
 
The Nitty Gritty of Website Security
The Nitty Gritty of Website SecurityThe Nitty Gritty of Website Security
The Nitty Gritty of Website SecurityHTS Hosting
 
Cyber Safety 101
Cyber Safety 101Cyber Safety 101
Cyber Safety 101Jeff Niebaum, M.A
 

Recomendados

Navigating Online Threats - Website Security for Everyday Website Owners
Navigating Online Threats - Website Security for Everyday Website OwnersNavigating Online Threats - Website Security for Everyday Website Owners
Navigating Online Threats - Website Security for Everyday Website OwnersTony Perez
 
TBEX - North America 2014 - 5 Tips to Keep Your Content and Users Safe
TBEX - North America 2014 - 5 Tips to Keep Your Content and Users SafeTBEX - North America 2014 - 5 Tips to Keep Your Content and Users Safe
TBEX - North America 2014 - 5 Tips to Keep Your Content and Users SafeTony Perez
 
The most Common Website Security Threats
The most Common Website Security ThreatsThe most Common Website Security Threats
The most Common Website Security ThreatsHTS Hosting
 
WordPress Security Begins With Good Posture
WordPress Security Begins With Good PostureWordPress Security Begins With Good Posture
WordPress Security Begins With Good PostureTony Perez
 
Web App Security: XSS and CSRF
Web App Security: XSS and CSRFWeb App Security: XSS and CSRF
Web App Security: XSS and CSRFDave Ross
 
Xss ppt
Xss pptXss ppt
Xss pptpenetration Tester
 
The Nitty Gritty of Website Security
The Nitty Gritty of Website SecurityThe Nitty Gritty of Website Security
The Nitty Gritty of Website SecurityHTS Hosting
 
Cyber Safety 101
Cyber Safety 101Cyber Safety 101
Cyber Safety 101Jeff Niebaum, M.A
 
Linux confau 2019: Web Security 2019
Linux confau 2019: Web Security 2019Linux confau 2019: Web Security 2019
Linux confau 2019: Web Security 2019James Bromberger
 
Unit6
Unit6Unit6
Unit6Hope Scott
 
Identifying XSS Vulnerabilities
Identifying XSS VulnerabilitiesIdentifying XSS Vulnerabilities
Identifying XSS Vulnerabilitiesn|u - The Open Security Community
 
2016 CYBERSECURITY PLAYBOOK
2016 CYBERSECURITY PLAYBOOK2016 CYBERSECURITY PLAYBOOK
2016 CYBERSECURITY PLAYBOOKBoris Loukanov
 
Staying safe-on-internet
Staying safe-on-internetStaying safe-on-internet
Staying safe-on-internetolususi kayode oluyemi
 
WannaCry Ransomware
WannaCry Ransomware WannaCry Ransomware
WannaCry RansomwareZoho Corporation
 
Wannacry
WannacryWannacry
WannacryGunther Clauwaert
 
Content Management System Security
Content Management System SecurityContent Management System Security
Content Management System SecuritySamvel Gevorgyan
 
How to Easily Secure Your WordPress Website
How to Easily Secure Your WordPress WebsiteHow to Easily Secure Your WordPress Website
How to Easily Secure Your WordPress WebsiteHacker Combat
 
Speaker profile
Speaker profileSpeaker profile
Speaker profileKrishna Sai
 
Security testing for web developers
Security testing for web developersSecurity testing for web developers
Security testing for web developersmatthewhughes
 
Web Security: A Primer for Developers
Web Security: A Primer for DevelopersWeb Security: A Primer for Developers
Web Security: A Primer for DevelopersMike North
 
Web 2.0 Presentation
Web 2.0 PresentationWeb 2.0 Presentation
Web 2.0 Presentationxia_bofa
 
Mobile hacking, pentest, and malware
Mobile hacking, pentest, and malwareMobile hacking, pentest, and malware
Mobile hacking, pentest, and malwareAmmar WK
 
Web security: concepts and tools used by attackers
Web security: concepts and tools used by attackersWeb security: concepts and tools used by attackers
Web security: concepts and tools used by attackerstomasperezv
 
Cocoon On Internet Security
Cocoon On Internet SecurityCocoon On Internet Security
Cocoon On Internet SecurityCOCOON
 
Website Security - It Begins With Good Posture
Website Security - It Begins With Good PostureWebsite Security - It Begins With Good Posture
Website Security - It Begins With Good PostureTony Perez
 
Privacy security
Privacy securityPrivacy security
Privacy securityhanjunxian
 
WannaCry ransomware attack
WannaCry ransomware attackWannaCry ransomware attack
WannaCry ransomware attackAbdelhakim Salama
 
Insecure Trends in Web 2.0
Insecure Trends in Web 2.0Insecure Trends in Web 2.0
Insecure Trends in Web 2.0Ferruh Mavituna
 
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionScaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionWayne Huang
 
TRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , TexasTRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , TexasAditya K Sood
 

Más contenido relacionado

La actualidad más candente

Linux confau 2019: Web Security 2019
Linux confau 2019: Web Security 2019Linux confau 2019: Web Security 2019
Linux confau 2019: Web Security 2019James Bromberger
 
2016 CYBERSECURITY PLAYBOOK
2016 CYBERSECURITY PLAYBOOK2016 CYBERSECURITY PLAYBOOK
2016 CYBERSECURITY PLAYBOOKBoris Loukanov
 
Content Management System Security
Content Management System SecurityContent Management System Security
Content Management System SecuritySamvel Gevorgyan
 
How to Easily Secure Your WordPress Website
How to Easily Secure Your WordPress WebsiteHow to Easily Secure Your WordPress Website
How to Easily Secure Your WordPress WebsiteHacker Combat
 
Security testing for web developers
Security testing for web developersSecurity testing for web developers
Security testing for web developersmatthewhughes
 
Web Security: A Primer for Developers
Web Security: A Primer for DevelopersWeb Security: A Primer for Developers
Web Security: A Primer for DevelopersMike North
 
Web 2.0 Presentation
Web 2.0 PresentationWeb 2.0 Presentation
Web 2.0 Presentationxia_bofa
 
Mobile hacking, pentest, and malware
Mobile hacking, pentest, and malwareMobile hacking, pentest, and malware
Mobile hacking, pentest, and malwareAmmar WK
 
Web security: concepts and tools used by attackers
Web security: concepts and tools used by attackersWeb security: concepts and tools used by attackers
Web security: concepts and tools used by attackerstomasperezv
 
Cocoon On Internet Security
Cocoon On Internet SecurityCocoon On Internet Security
Cocoon On Internet SecurityCOCOON
 
Website Security - It Begins With Good Posture
Website Security - It Begins With Good PostureWebsite Security - It Begins With Good Posture
Website Security - It Begins With Good PostureTony Perez
 
Privacy security
Privacy securityPrivacy security
Privacy securityhanjunxian
 
Insecure Trends in Web 2.0
Insecure Trends in Web 2.0Insecure Trends in Web 2.0
Insecure Trends in Web 2.0Ferruh Mavituna
 

La actualidad más candente (20)

Linux confau 2019: Web Security 2019
Linux confau 2019: Web Security 2019Linux confau 2019: Web Security 2019
Linux confau 2019: Web Security 2019
 
Unit6
Unit6Unit6
Unit6
 
Identifying XSS Vulnerabilities
Identifying XSS VulnerabilitiesIdentifying XSS Vulnerabilities
Identifying XSS Vulnerabilities
 
2016 CYBERSECURITY PLAYBOOK
2016 CYBERSECURITY PLAYBOOK2016 CYBERSECURITY PLAYBOOK
2016 CYBERSECURITY PLAYBOOK
 
Staying safe-on-internet
Staying safe-on-internetStaying safe-on-internet
Staying safe-on-internet
 
WannaCry Ransomware
WannaCry Ransomware WannaCry Ransomware
WannaCry Ransomware
 
Wannacry
WannacryWannacry
Wannacry
 
Content Management System Security
Content Management System SecurityContent Management System Security
Content Management System Security
 
How to Easily Secure Your WordPress Website
How to Easily Secure Your WordPress WebsiteHow to Easily Secure Your WordPress Website
How to Easily Secure Your WordPress Website
 
Speaker profile
Speaker profileSpeaker profile
Speaker profile
 
Security testing for web developers
Security testing for web developersSecurity testing for web developers
Security testing for web developers
 
Web Security: A Primer for Developers
Web Security: A Primer for DevelopersWeb Security: A Primer for Developers
Web Security: A Primer for Developers
 
Web 2.0 Presentation
Web 2.0 PresentationWeb 2.0 Presentation
Web 2.0 Presentation
 
Mobile hacking, pentest, and malware
Mobile hacking, pentest, and malwareMobile hacking, pentest, and malware
Mobile hacking, pentest, and malware
 
Web security: concepts and tools used by attackers
Web security: concepts and tools used by attackersWeb security: concepts and tools used by attackers
Web security: concepts and tools used by attackers
 
Cocoon On Internet Security
Cocoon On Internet SecurityCocoon On Internet Security
Cocoon On Internet Security
 
Website Security - It Begins With Good Posture
Website Security - It Begins With Good PostureWebsite Security - It Begins With Good Posture
Website Security - It Begins With Good Posture
 
Privacy security
Privacy securityPrivacy security
Privacy security
 
WannaCry ransomware attack
WannaCry ransomware attackWannaCry ransomware attack
WannaCry ransomware attack
 
Insecure Trends in Web 2.0
Insecure Trends in Web 2.0Insecure Trends in Web 2.0
Insecure Trends in Web 2.0
 

Similar a Word camp orange county 2012 enduser security

Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionScaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionWayne Huang
 
TRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , TexasTRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , TexasAditya K Sood
 
Stop Watering Holes, Spear-Phishing and Drive-by Downloads
Stop Watering Holes, Spear-Phishing and Drive-by DownloadsStop Watering Holes, Spear-Phishing and Drive-by Downloads
Stop Watering Holes, Spear-Phishing and Drive-by DownloadsInvincea, Inc.
 
Global Technologies and Risks Trends
Global Technologies and Risks TrendsGlobal Technologies and Risks Trends
Global Technologies and Risks TrendsCharles Mok
 
42 - Malware - Understand the Threat and How to Respond
42 - Malware - Understand the Threat and How to Respond42 - Malware - Understand the Threat and How to Respond
42 - Malware - Understand the Threat and How to RespondThomas Roccia
 
Search Diverse Models for Proactive Software Diversification
Search Diverse Models for Proactive Software DiversificationSearch Diverse Models for Proactive Software Diversification
Search Diverse Models for Proactive Software DiversificationFoCAS Initiative
 
Introduction to Software Security and Best Practices
Introduction to Software Security and Best PracticesIntroduction to Software Security and Best Practices
Introduction to Software Security and Best PracticesMaxime ALAY-EDDINE
 
Ethi mini1 - ethical hacking
Ethi mini1 - ethical hackingEthi mini1 - ethical hacking
Ethi mini1 - ethical hackingBeing Uniq Sonu
 
8 Types of Cyber Attacks That Can Bother CISOs in 2020
8 Types of Cyber Attacks That Can Bother CISOs in 20208 Types of Cyber Attacks That Can Bother CISOs in 2020
8 Types of Cyber Attacks That Can Bother CISOs in 2020SecPod Technologies
 
Emerging Trends in Online Social Networks Malware
Emerging Trends in Online Social Networks MalwareEmerging Trends in Online Social Networks Malware
Emerging Trends in Online Social Networks MalwareAditya K Sood
 
Lecture about network and host security to NII students
Lecture about network and host security to NII studentsLecture about network and host security to NII students
Lecture about network and host security to NII studentsAkiumi Hasegawa
 
3 Hkcert Trend
3 Hkcert Trend3 Hkcert Trend
3 Hkcert TrendSC Leung
 
Nastiest Malware 2021
Nastiest Malware 2021Nastiest Malware 2021
Nastiest Malware 2021tsevier
 
Information security in todays world
Information security in todays worldInformation security in todays world
Information security in todays worldSibghatullah Khattak
 

Similar a Word camp orange county 2012 enduser security (20)

Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionScaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
 
TRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , TexasTRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , Texas
 
Info sec 12 v1 2
Info sec 12 v1 2Info sec 12 v1 2
Info sec 12 v1 2
 
Stop Watering Holes, Spear-Phishing and Drive-by Downloads
Stop Watering Holes, Spear-Phishing and Drive-by DownloadsStop Watering Holes, Spear-Phishing and Drive-by Downloads
Stop Watering Holes, Spear-Phishing and Drive-by Downloads
 
Global Technologies and Risks Trends
Global Technologies and Risks TrendsGlobal Technologies and Risks Trends
Global Technologies and Risks Trends
 
Code protection
Code protectionCode protection
Code protection
 
42 - Malware - Understand the Threat and How to Respond
42 - Malware - Understand the Threat and How to Respond42 - Malware - Understand the Threat and How to Respond
42 - Malware - Understand the Threat and How to Respond
 
Search Diverse Models for Proactive Software Diversification
Search Diverse Models for Proactive Software DiversificationSearch Diverse Models for Proactive Software Diversification
Search Diverse Models for Proactive Software Diversification
 
Introduction to Software Security and Best Practices
Introduction to Software Security and Best PracticesIntroduction to Software Security and Best Practices
Introduction to Software Security and Best Practices
 
NetWitness
NetWitnessNetWitness
NetWitness
 
Malicious malware breaches - eScan
Malicious malware breaches - eScanMalicious malware breaches - eScan
Malicious malware breaches - eScan
 
Ethi mini1 - ethical hacking
Ethi mini1 - ethical hackingEthi mini1 - ethical hacking
Ethi mini1 - ethical hacking
 
8 Types of Cyber Attacks That Can Bother CISOs in 2020
8 Types of Cyber Attacks That Can Bother CISOs in 20208 Types of Cyber Attacks That Can Bother CISOs in 2020
8 Types of Cyber Attacks That Can Bother CISOs in 2020
 
Emerging Trends in Online Social Networks Malware
Emerging Trends in Online Social Networks MalwareEmerging Trends in Online Social Networks Malware
Emerging Trends in Online Social Networks Malware
 
Lecture about network and host security to NII students
Lecture about network and host security to NII studentsLecture about network and host security to NII students
Lecture about network and host security to NII students
 
Mobile Malware
Mobile MalwareMobile Malware
Mobile Malware
 
3 Hkcert Trend
3 Hkcert Trend3 Hkcert Trend
3 Hkcert Trend
 
5 Ways To Fight A DDoS Attack
5 Ways To Fight A DDoS Attack5 Ways To Fight A DDoS Attack
5 Ways To Fight A DDoS Attack
 
Nastiest Malware 2021
Nastiest Malware 2021Nastiest Malware 2021
Nastiest Malware 2021
 
Information security in todays world
Information security in todays worldInformation security in todays world
Information security in todays world
 

Más de Tony Perez

A Practical Security Framework for Website Owners
A Practical Security Framework for Website OwnersA Practical Security Framework for Website Owners
A Practical Security Framework for Website OwnersTony Perez
 
2017 WHD - Bridging the Divide Between Behavior and Security
2017 WHD - Bridging the Divide Between Behavior and Security2017 WHD - Bridging the Divide Between Behavior and Security
2017 WHD - Bridging the Divide Between Behavior and SecurityTony Perez
 
Accounting for Website Security in Higher Education
Accounting for Website Security in Higher EducationAccounting for Website Security in Higher Education
Accounting for Website Security in Higher EducationTony Perez
 
Building a Security Framework for Websites
Building a Security Framework for WebsitesBuilding a Security Framework for Websites
Building a Security Framework for WebsitesTony Perez
 
Business of People - Lessons Learned Building a Remote Workforce
Business of People - Lessons Learned Building a Remote WorkforceBusiness of People - Lessons Learned Building a Remote Workforce
Business of People - Lessons Learned Building a Remote WorkforceTony Perez
 
Hacked - What do you do now?
Hacked - What do you do now?Hacked - What do you do now?
Hacked - What do you do now?Tony Perez
 
Website Security (WordPress) - It's About the Basics
Website Security (WordPress) - It's About the BasicsWebsite Security (WordPress) - It's About the Basics
Website Security (WordPress) - It's About the BasicsTony Perez
 
Website Security - Latest and Greatest (WordPress 2014)
Website Security - Latest and Greatest (WordPress 2014)Website Security - Latest and Greatest (WordPress 2014)
Website Security - Latest and Greatest (WordPress 2014)Tony Perez
 
WordCamp Minneapolis 2014 - Website Security Presentation - Sucuri Security
WordCamp Minneapolis 2014 - Website Security Presentation - Sucuri SecurityWordCamp Minneapolis 2014 - Website Security Presentation - Sucuri Security
WordCamp Minneapolis 2014 - Website Security Presentation - Sucuri SecurityTony Perez
 
Joomla! Day Atlanta 2014 - Website Security - The Basics
Joomla! Day Atlanta 2014 - Website Security - The BasicsJoomla! Day Atlanta 2014 - Website Security - The Basics
Joomla! Day Atlanta 2014 - Website Security - The BasicsTony Perez
 
WordPress Security 2014 - The Basics of Security
WordPress Security 2014 - The Basics of SecurityWordPress Security 2014 - The Basics of Security
WordPress Security 2014 - The Basics of SecurityTony Perez
 
WordPress Security - Learning From Hacks
WordPress Security - Learning From HacksWordPress Security - Learning From Hacks
WordPress Security - Learning From HacksTony Perez
 
Word press website security
Word press website securityWord press website security
Word press website securityTony Perez
 
WordPress Website Security - Trends, Threats, Defenses
WordPress Website Security - Trends, Threats, DefensesWordPress Website Security - Trends, Threats, Defenses
WordPress Website Security - Trends, Threats, DefensesTony Perez
 
WordPress Security - Dealing With Today's Hacks
WordPress Security - Dealing With Today's HacksWordPress Security - Dealing With Today's Hacks
WordPress Security - Dealing With Today's HacksTony Perez
 
WordPress Security - The "No-BS" Version
WordPress Security - The "No-BS" VersionWordPress Security - The "No-BS" Version
WordPress Security - The "No-BS" VersionTony Perez
 

Más de Tony Perez (16)

A Practical Security Framework for Website Owners
A Practical Security Framework for Website OwnersA Practical Security Framework for Website Owners
A Practical Security Framework for Website Owners
 
2017 WHD - Bridging the Divide Between Behavior and Security
2017 WHD - Bridging the Divide Between Behavior and Security2017 WHD - Bridging the Divide Between Behavior and Security
2017 WHD - Bridging the Divide Between Behavior and Security
 
Accounting for Website Security in Higher Education
Accounting for Website Security in Higher EducationAccounting for Website Security in Higher Education
Accounting for Website Security in Higher Education
 
Building a Security Framework for Websites
Building a Security Framework for WebsitesBuilding a Security Framework for Websites
Building a Security Framework for Websites
 
Business of People - Lessons Learned Building a Remote Workforce
Business of People - Lessons Learned Building a Remote WorkforceBusiness of People - Lessons Learned Building a Remote Workforce
Business of People - Lessons Learned Building a Remote Workforce
 
Hacked - What do you do now?
Hacked - What do you do now?Hacked - What do you do now?
Hacked - What do you do now?
 
Website Security (WordPress) - It's About the Basics
Website Security (WordPress) - It's About the BasicsWebsite Security (WordPress) - It's About the Basics
Website Security (WordPress) - It's About the Basics
 
Website Security - Latest and Greatest (WordPress 2014)
Website Security - Latest and Greatest (WordPress 2014)Website Security - Latest and Greatest (WordPress 2014)
Website Security - Latest and Greatest (WordPress 2014)
 
WordCamp Minneapolis 2014 - Website Security Presentation - Sucuri Security
WordCamp Minneapolis 2014 - Website Security Presentation - Sucuri SecurityWordCamp Minneapolis 2014 - Website Security Presentation - Sucuri Security
WordCamp Minneapolis 2014 - Website Security Presentation - Sucuri Security
 
Joomla! Day Atlanta 2014 - Website Security - The Basics
Joomla! Day Atlanta 2014 - Website Security - The BasicsJoomla! Day Atlanta 2014 - Website Security - The Basics
Joomla! Day Atlanta 2014 - Website Security - The Basics
 
WordPress Security 2014 - The Basics of Security
WordPress Security 2014 - The Basics of SecurityWordPress Security 2014 - The Basics of Security
WordPress Security 2014 - The Basics of Security
 
WordPress Security - Learning From Hacks
WordPress Security - Learning From HacksWordPress Security - Learning From Hacks
WordPress Security - Learning From Hacks
 
Word press website security
Word press website securityWord press website security
Word press website security
 
WordPress Website Security - Trends, Threats, Defenses
WordPress Website Security - Trends, Threats, DefensesWordPress Website Security - Trends, Threats, Defenses
WordPress Website Security - Trends, Threats, Defenses
 
WordPress Security - Dealing With Today's Hacks
WordPress Security - Dealing With Today's HacksWordPress Security - Dealing With Today's Hacks
WordPress Security - Dealing With Today's Hacks
 
WordPress Security - The "No-BS" Version
WordPress Security - The "No-BS" VersionWordPress Security - The "No-BS" Version
WordPress Security - The "No-BS" Version
 

Último

GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Principled Technologies
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024The Digital Insurer
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024SynarionITSolutions
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 

Último (20)

GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 

Word camp orange county 2012 enduser security

  • 2. Who Am I Hi, my name is Tony Perez | @perezbox Marine Corps – War Vet Sucuri Security Objectivity and rationalism Gun carrying, Harley riding, Martial Artist . Web-malware is my life @sucuri_security @perezbox #wcoc 2 6/2/2012
  • 3. What are we going to talk about? Web Security Look at some statistics… Provide an understanding of web malware Understand the threat scape a bit… Look at some of the recent trends… Give some hardening tips Get into the recommendations… @sucuri_security @perezbox #wcoc 3 6/2/2012
  • 4. Thinking about Web Security Web Security Access Containment Knowledge @sucuri_security @perezbox #wcoc 4 6/2/2012
  • 6. Web Numbers > 700 Million websites – As of May 2012– Netcraft 300 Million – Number of websites in 2011 – Pingdom 10.82 Billion – Number of indexed pages – WorldWebSize 2.1 Billion – Number of internet users worldwide Pingdom Projected that: 1 Billion – 2013 2 Billion - 2015 @sucuri_security @perezbox #wcoc 6 6/2/2012
  • 7. WordPress Numbers 73 Million + – Number of WP powered sites 16% - Of all Websites run WordPress 22 – Out of every 100 new domains in the U.S. 54% - CMS marketshare 62% - Market share of top 1,000,000 Sites 53% - Market share of top 100,000 sites 55% - Market share of top 10,000 sites Projection 300 – 500 Million - 2015 @sucuri_security @perezbox #wcoc 7 6/2/2012
  • 8. Web Malware Numbers 403 Million – Unique variants of malware 2011 140% Growth – 2010 – 2011 in unique variants 55,294 – Malicious web domains in 2011 130% Growth – 2010 – 2011 in malicious domains 81% - Increase malicious web-based attacks between 2010 / 2011 42 Billion – Global SPAM per day 2011 (Source: Symantec Internet Security Threat Report, Vol 17) @sucuri_security @perezbox #wcoc 8 6/2/2012
  • 9. Gah… NO MORE NUMBERS The web is growing at an unprecedented pace. WordPress growth – astronomical and gaining Web-based malware is not far behind To have a virtual presence you must consider the security of your website @sucuri_security @perezbox #wcoc 9 6/2/2012
  • 11. Thinking about Web Security Web Security Access Containment Knowledge Minimize Control Authentication Reduce Threat Have a Plan Be prepared Impact @sucuri_security @perezbox #wcoc 11 6/2/2012
  • 12. Web-based Malware Malware – Short for malicious software. This software is designed to disrupt operation of an information system (i.e., local machine, server, mobile device, etc…) In 2011, malnets (malware networks) emerged as the next evolution in the threat landscape. These infrastructures last beyond any one attack. - BlueCoat 2012 Web Security Report @sucuri_security @perezbox #wcoc 12 6/2/2012
  • 13. Types of Malware Obfuscated JavaScript Stupid, Pointless, Annoyi ng Messages (SPAM) Hidden & Malicious iFrames Defacement Embedded Trojans Anomalies Phishing Attempts IP Cloaking Malicious Redirects Drive by Downloads Backdoors (e.g., C99, R57, Webshe lls) @sucuri_security @perezbox #wcoc 13 6/2/2012
  • 14. Attack Vectors User Issues Out-of-Date Software Social Engineering Compromised Credentials Software Issues SQL Injection Cross-Site Scripting (XSS) Cross-Site Request Forgery (XSRF) Remote Execution @sucuri_security @perezbox #wcoc 14 6/2/2012
  • 15. Most Common Distributions Social Engineering Trick you into installing malware Compromising credentials Websites, Email, Twitter Drive-by-Downloads Install malware after exploiting a vulnerability – big issue for us in the WP community iFrame (52.6%) and JS injections (26.5%) Malicious redirects Redirect user to another site often distributing malware @sucuri_security @perezbox #wcoc 15 6/2/2012
  • 16. Threat Landscape End User Local Application Environment Web Server Administration Network Threat Environmental Landscape @sucuri_security @perezbox #wcoc 16 6/2/2012
  • 17. The Attacker Types Culture Has code of ethics, heroes and White-Hat villains and competing gangs Ethical / Grey Hat Knowledge is power Most Believe information and Script Kiddie computer access should be freely shared Hacktivist Major motivation among hackers is status Cracker / Black Hat Financial gain is a strong motivation with crackers – Robin Hood mindset – ok to steal @sucuri_security @perezbox #wcoc 17 6/2/2012
  • 18. But I only write about lazy lizards!!!! • Opportunistic Attacks • Road of least resistance • Political Agenda / Further Cause • Mass Exposure • In short – it doesn‟t matter what you write about, you have a virtual presence @sucuri_security @perezbox #wcoc 18 6/2/2012
  • 19. Is WordPress insecure? Out of the box, core is well built and secure It‟s no longer the days of 1.5 Security team is in place to quickly address and patch issues Extensibility – both its strength and weakness With popularity comes a target… think Windows for local environments Easy target because of its exposure, attackers focusing on the platform Road of least resistance @sucuri_security @perezbox #wcoc 19 6/2/2012
  • 20. Recent Vulnerabilities and Infections Vulnerabilities Campaigns PHP-CGI Vulnerability - Recovery-hdd.eu Malware Campaign Patched Nikjju Mass Injection WooThemes Campaign Vulnerability – Patched GetMama Conditional Malware Campaign TimThumb Vulnerability – Patched .RR.NU Malware Campagin Sweepstake Malware Campaign @sucuri_security @perezbox #wcoc 20 6/2/2012
  • 21. Top reasons why we see these infections Poor credential Management Poor System Administration Soup Kitchen Servers Out of Date Software Lack of Web knowledge Use of self-proclaimed “experts” Cutting Corners @sucuri_security @perezbox #wcoc 21 6/2/2012
  • 22. So what can you do? Glad you asked
  • 23. Reduce Threat Risk Update Credentials Communicate Securely Themes / Plugins Harden Your Install Don‟t forget your local environment Knowledge - Resources @sucuri_security @perezbox #wcoc 23 6/2/2012
  • 24. Update, Update, Update Leading cause of infections If your theme is so coupled with core it can‟t be updated, consider purchasing a new one PHP, Core, Themes, Plu gins, JavaScript… @sucuri_security @perezbox #wcoc 24 6/2/2012
  • 25. Credentials (user / password) Basics Take-Aways Avoid using „Admin‟ & Complex Unique password „Administrator‟ Upper / Lower Symbols Numbers Use Strong Passwords Longer than 18 characters Online Generator: http://www.onlinepasswordgen Passphrases erator.com/password.php Use one time – Password manager Use Password Manager LastPass – Free – Online / In short: Mobile Access No Dates No Names https://lastpass.com/ No Pets 1Password No Places https://agilebits.com/onepass A = @, E = 3, S= $, O = 0 word They know this @sucuri_security @perezbox #wcoc 25 6/2/2012
  • 26. Data Dictionary / Defacement @sucuri_security @perezbox #wcoc 26 6/2/2012
  • 27. Communicate Securely Communication mechanisms File Transfer Protocol (FTP) Secret File Transfer Protocol (SFTP) Secure Shell (SSH) Tools Filezilla Coda NCFTP SFTP / SSH - Best Approach Google: How to create SFTP account on [Host Name] Google: How to enable SSH on [Host Name] @sucuri_security @perezbox #wcoc 27 6/2/2012
  • 28. Safe Themes / Plugins WordPress Repository is a good place to start 19.6k+ - Available Plugins 1.5k+ - Available Themes Look for good descriptions of the theme or plugin Look to see versions and updates Active change log is always good Theme-check & Plugin-check are good tools to check potential issues Free Theme? http://wpmu.org/why-you-should-never-search-for-free- wordpress-themes-in-google-or-anywhere-else/ @sucuri_security @perezbox #wcoc 28 6/2/2012
  • 29. Plugins To Avoid WPStats.org SPAM – Fake Advanced Search Plugin SEO poisoning – Bad http://blog.sucuri.net/2012/05/wpstats-org-spam-and-a-fake-advanced-search- plugin.html Dean FCKEditor with PWWANGS Code for WordPress (version 1.0.0) Upload / Server control - Very Bad http://blog.sucuri.net/2012/03/wordpress-third-party-vulnerability-deans-fckeditor-with- pwwangs-code-for-wordpress-version-1-0-0.html Absolute Privacy Plugin Known vulnerability http://blog.sucuri.net/2012/02/vulnerability-in-the-absolute-privacy-plugin.html ToolsPack Plugin Dangerous backdoor – full access - Very Bad http://blog.sucuri.net/2012/02/new-wordpress-toolspack-plugin.html @sucuri_security @perezbox #wcoc 29 6/2/2012
  • 32. HTACCESS is your Friend Configuration file for web servers using Apache Features: Error Documents Redirects Password Protection Deny visitors by IP Hot link prevention Access prevention More? Apply these changes at your own peril – run risk of blowing up site @sucuri_security @perezbox #wcoc 32 6/2/2012
  • 33. Protect HTACCESS Permission <= 640 #PROTECT HTACCESS <Files HTACCESS> Order Allow, Deny Deny from all </Files> @sucuri_security @perezbox #wcoc 33 6/2/2012
  • 34. Protect WP-Config .htaccess Permissions <= 640 #PROTECT WP-CONFIG <Files wp-config.php> Order Allow, Deny Deny from all </Files> @sucuri_security @perezbox #wcoc 34 6/2/2012
  • 35. Authentication Keys wp-config.php Encrypts information stored in user‟s cookies https://api.wordpress.org/secret-key/1.1/salt/ Resource: http://codex.wordpress.org/Editing_wp-config.php @sucuri_security @perezbox #wcoc 35 6/2/2012
  • 36. Database Prefix Default is “wp_” wp-config.php @sucuri_security @perezbox #wcoc 36 6/2/2012
  • 37. Admin User Created by “default” < = 3.0 In higher version you can define your own administrator Create new user, apply “administrator” role Be mindful of any posts created by “admin” user Delete “admin” user @sucuri_security @perezbox #wcoc 37 6/2/2012
  • 38. Disable Directory Listing Nobody show know the color of your skivvies Default in most hosts, not always # PREVENT DIRECTORY LISTINGS Options -Indexes @sucuri_security @perezbox #wcoc 38 6/2/2012
  • 39. Disable Plugin / Theme Editor wp-config.php file Remove the ability modify your files via your wp-admin panel – force to use SFTP / SSH and your local IDE # Disable Plugin / Theme Editor Define(„DISALLOW_FILE_EDIT‟,true); @sucuri_security @perezbox #wcoc 39 6/2/2012
  • 40. Permissions Directories 755 Files Directories: 644 find [path to install] -type d -exec chmod 755 {} ; Important Files .htaccess = 644 Files: Find [path to install] -type f -exec chmod 644 {} ; wp-config.php = 600 php.ini = 600 php.cgi = 711 php5.cgi = 100 Reading: http://codex.wordpress.org/Changing_File_Permissions @sucuri_security @perezbox #wcoc 40 6/2/2012
  • 41. Protect WP-Admin If you have a dynamic IP this might be problematic Consider HTTPS (Heavy / Complicated) or Basic Authentication (Effective / Simple) # SECURE Access to WP-ADMIN <FilesMatch ".*"> Order Deny,Allow Deny from all Allow from [IP Address] </FilesMatch> @sucuri_security @perezbox #wcoc 41 6/2/2012
  • 42. Harden WP-Includes Create .htaccess in wp-includes directory #PROTECT WP-INCLUDES <FilesMatch “.php”> Order Allow, Deny Deny from all Deny</Files> @sucuri_security @perezbox #wcoc 42 6/2/2012
  • 43. Harden WP-Content Create .htaccess in wp-content directory Most vulnerable, contains Uploads directory, often the attack vector It can be moved, but if you‟re an end-user don‟t touch – hire a pro – lots of dependencies #PROTECT WP-CONTENT <FilesMatch “.php”> Order Allow, Deny Deny from all Deny</Files> @sucuri_security @perezbox #wcoc 43 6/2/2012
  • 44. Limit Upload Most shells < 1 mb Good idea anyway - //limit file upload to 10mb LimitRequestBody 10240000 @sucuri_security @perezbox #wcoc 44 6/2/2012
  • 45. Protect Against Bots Malnets are a growing problem, proactively protect against them using a Web Application Firewall Perishable Press – 5G Blacklist 2012 http://perishablepress.com /5g-blacklist-2012/ @sucuri_security @perezbox #wcoc 45 6/2/2012
  • 46. 5G WordPress Add-On Don‟t want to add all that other stuff? No problem, try this condensed version for WordPress Doesn‟t require the 5G Blacklist and helps protect against bad URL request – i.e., helps take the load off your server from these very annoying requests Source: http://perishablepress.com/wordpress-5g-blacklist/ Careful – wp-signup required for MultiSite @sucuri_security @perezbox #wcoc 46 6/2/2012
  • 47. Secure Login Page There are a number of plugins you can use for this, or, you can turn to your .htaccess again Might be an issue if its not static.. <Files wp-login.php> Order Deny,Allow Deny from All Allow from [Your IP] </Files> @sucuri_security @perezbox #wcoc 47 6/2/2012
  • 48. Protect against XSS Deny bad query Strings – in short, don‟t become a victim to cross-site scripting # QUERY STRING EXPLOITS <IfModule mod_rewrite.c> RewriteCond %{QUERY_STRING} ../ [NC,OR] RewriteCond %{QUERY_STRING} boot.ini [NC,OR] RewriteCond %{QUERY_STRING} tag= [NC,OR] RewriteCond %{QUERY_STRING} ftp: [NC,OR] RewriteCond %{QUERY_STRING} http: [NC,OR] RewriteCond %{QUERY_STRING} https: [NC,OR] RewriteCond %{QUERY_STRING} mosConfig [NC,OR] RewriteCond %{QUERY_STRING} ^.*([|]|(|)|<|>|'|"|;|?|*).* [NC,OR] RewriteCond %{QUERY_STRING} ^.*(%22|%27|%3C|%3E|%5C|%7B|%7C).* [NC,OR] RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127.0).* [NC,OR] RewriteCond %{QUERY_STRING} ^.*(globals|encode|config|localhost|loopback).* [NC,OR] RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare|drop).* [NC] RewriteRule ^(.*)$ - [F,L] </IfModule> @sucuri_security @perezbox #wcoc 48 6/2/2012
  • 49. SPAM Comments SPAM in your comments can get you blacklisted just as fast as injections on your pages Disable comments on pages if you don‟t want them Setting to close comments after a certain amount of time. Settings > Discussion > Other Comment Settings Automatically close comments on articles older than XX days Use AKISMET @sucuri_security @perezbox #wcoc 49 6/2/2012
  • 50. Cross-Site Contamination Most of the things provided so far help you from external attacks. Internal attacks are as prevalent Growing problem – “Soup Kitchen” servers Development, Staging, Testing, Productions – 1 environment http://blog.sucuri.net/2012/03/a-little-tale-about-website- cross-contamination.html http://blog.sucuri.net/2012/03/website-cross- contamination-blackhat-seo-spam-malware.html @sucuri_security @perezbox #wcoc 50 6/2/2012
  • 51. Security Plugins Sucuri Clients – Sucuri Security – Free to Clients Web Application Firewall Integrity Monitoring Auditing Hardening More: http://sucuri.net/services/preventive Not a client? No problem, other good options include – Login Lock http://wordpress.org/extend/plugins/login-lock/ WordPress File Monitor http://wordpress.org/extend/plugins/wordpress-file-monitor/ WordPress Firewall 2 http://wordpress.org/extend/plugins/wordpress-firewall-2/ BulletProof Security http://wordpress.org/extend/plugins/bulletproof-security/ @sucuri_security @perezbox #wcoc 51 6/2/2012
  • 52. Still have a malware problem?
  • 53. Two Approaches Do it Yourself Hire a Professional Forums are you friend Will cost money Requires time and Alleviates the stress patience Gets you up and running Leverage free tools in hours, if not days Know when you‟re in over your head Can take time – hours, days, weeks, mo nths @sucuri_security @perezbox #wcoc 53 6/2/2012
  • 54. Support Forums WordPress.org Hacked: http://wordpress.org/tags/hacked Malware: http://wordpress.org/tags/malware BadwareBusters.org https://badwarebusters.org/ @sucuri_security @perezbox #wcoc 54 6/2/2012
  • 55. Things to Know when Engaging Professionals Know who your host is and how to contact them in the event of an emergency Know how to access your server – FTP, SFTP, SSH, FTPS Have a backup accessible Tips: http://blog.sucuri.net/2012/04/ask-sucuri-what-should-i- know-when-engaging-a-web-malware-company.html @sucuri_security @perezbox #wcoc 55 6/2/2012
  • 56. Tips & Tricks After all this you might still become infected, and if you do here are a few tips to keep you going: 1. Immediately Change all credentials – wp- admin, database, cpanel 2. Log into your database and check all the users 3. Replace WP manually – avoid the default updater 4. Defacements – look at your index files (watch out for “.html” and “index2.php”) 5. Use live scanner: http://sitecheck.sucuri.net 6. Use terminal to GREP and FIND issues reported 7. Restore site from clean backup 8. Purge your cache 9. Disable plugins, validate each plugin 10. Engage a professional @sucuri_security @perezbox #wcoc 56 6/2/2012
  • 58. FREE Real Time Virus Scanners Sucuri SiteCheck: http://sitecheck.sucuri.net Unmask Parasites: http://unmaskparasites.com/ @sucuri_security @perezbox #wcoc 58 6/2/2012
  • 59. Blacklisting Authorities Google Chrome, FireFox Search Engine Results Page (SERP) http://www.google.com/webmaster/tools http://www.google.com/safebrowsing/diagnostic?site=[your site] Bing Internet Explorer http://www.bing.com/toolbox/webmaster/ Norton Facebook http://safeweb.norton.com/ AVG Opera http://www.avgthreatlabs.com/sitereports/ @sucuri_security @perezbox #wcoc 59 6/2/2012
  • 60. Useful Plugins Know what you‟re using: Theme-Check Authors: Pross, Otto42 http://wordpress.org/extend/plugins/theme-check/ Plugin-Check Author: Pross http://wordpress.org/extend/plugins/plugin-check/ Protect Against Comment SPAM Akismet Authors: Matt, Ryan, Andy, mdawaffe http://wordpress.org/extend/plugins/akismet/ Still offers free service Backups are your friend: Author: iThemes http://pluginbuddy.com/purchase/backupbuddy/ @sucuri_security @perezbox #wcoc 60 6/2/2012
  • 61. Online Reading http://blog.sucuri.net/2012/04/lockdown-wordpress-a- security-webinar-with-dre-armeda.html http://blog.sucuri.net/2012/04/ask-sucuri-how-to-stop-the- hacker-and-ensure-your-site-is-locked.html http://blog.sucuri.net/2012/04/ask-sucuri-what-should-i- know-when-engaging-a-web-malware-company.html http://codex.wordpress.org/Hardening_WordPress http://codex.wordpress.org/FAQ_My_site_was_hacked http://wpsecure.net/ @sucuri_security @perezbox #wcoc 61 6/2/2012
  • 62. Online Tools http://www.botsvsbrowsers.com/SimulateUserAgent.asp http://www.tareeinternet.com/scripts/base.html http://www.tareeinternet.com/scripts/decrypt.php @sucuri_security @perezbox #wcoc 62 6/2/2012
  • 63. Tony Perez Company: Sucuri Security Company site: http://sucuri.net Company blog: http://blog.sucuri.net Personal blog: http://perezbox.com Twitter: http://twitter.com/perezbox Linkedin: http://linkedin.com/in/perezbox Email: tony@sucuri.net @sucuri_security @perezbox #wcoc 63 6/2/2012

Notas del editor

  1. Good morning everyone.. No no no.. That’s just not going to do.. I said GOOD MORNING FOLKS…Oh yeah, now that’s what I’m talking about… Let’s see if we can’t get the blood flowing up in this room.. When I point to that side I want you to give me a WordPress, when I point to this side I want you to give me a Security… ready here we go… you – WORDPRESS, you – Security, me – YUT, you – WordPress, you – Security, me – YUTOUTSTANDING – little mexican dance… nice to see you guys as excited as me..Oh and if you get tired, please realize I can see all your eye balls.. That includes the white… that’s right… I’m watching you… 
  2. So as you might or might know, my name is Tony Perez – go by @perezboxI’m a Columbian / Cuban with a bad attitude living in a world of Mexicans. I spent a better part of a year and a half doing to combat tours in Iraq in 2002 – 2003 and 2004 – 2005… I now work for a little company focusing on web security, specializing in integrity monitoring and remediation – might have heard of us – Sucuri SecurityI’m a Gun carrying, Harley riding junior martial artist… And finally my life has been engulfed by a little thing called web-malware
  3. Well obviously we are going to talk about some good ole web security…not exciting, but it’s a necessary evil. Its important to understand though that its but one small slice of the information security pie and it’d be impractical to think we can cover it in 50 minute… but hopefully I’m able to give you a much better understanding of the concept and empower you with knowledgeWe’ll take a quick peak at some numbers that I am personally intrigued by as it helps put things into perspective around the web and web malware and specifically their relationship to WordPressThen before we get into hardening tips and real tangible take-aways I want to provide a better understanding of the threat landscape and how and where you fit in that. How’s that sound? Do we need to stretch? Sing?
  4. As we talk about Web Security I want us to keep in mind these three area of interest – Access, Containment, and Knowledge.. These will be the three areas of discussion during the next 40 minutes.
  5. These are some astronomical numbers.. In 2011 there were 300 million websites that came online.. In December of 2011 there were total of 555 million websites running… holy smokes.. In one year we had 300 million websites come online.. I just want that to sink in, before that we were at about 200 million..Over 10.8 BILLION indexed pages.. That’s just an astronomical number to wrap your head around… So how does WordPress fit into the mold…
  6. So as it stands of all the websites out there… its estimated that WordPress owns about 16% of the market – that’s blogs, CMS’s.. Etc… so that is 16% of approximately 555 Million websites..In the US alone 22 out of every 100 websites are WordPress powered.. Here is an interesting fact.. In the CMS domain, WP is dominating the space with something close to 54% market share.. Wow.. Impressive I must admit
  7. In 2011, according to Symantec, they captured about 403 million unique malware variants.. Now to caveat that is malware across desktops, mobile devices, web etc.. Still an astronomical number. This was a 140% growth over 2010In 2011, approximately 55, 294 malicious domains were detected.. That’s a 130% growth from 2010 andAs for web-based atacks, there was an 81% increase__________________________Previous:286 Million – Variants in 201042,926 – malicious web domains in 2010
  8. So what does this mean.. Easy..The web is a very large large place and the platform we all love and use is quickly gaining market share at a very astronomical rate. More important to our discussion is the growth of web-malware and how important it is that its not an after thought, but part of your administration and / or project lifecycles if you’re managing a WordPress instance and / or developing it for a client. It is a problem we must all share responsibility in.
  9. That being said.. Let’s get into some Web Security folks…
  10. You might remember this slide from the beginning.. As we walk through the next few slides I want you to think about these three domains.. Specifically on CONTROLLING and AUTHENTICATING ACCESS, while we all wish that an infection will never affect us, plan and ensure that you reduce your threat profile and minimize the total impact. Lastly, allow yourself to learn such that you are able to put a plan in place to both prevent and remediate, being preapared is the key and you will accomplish this through knowledge.
  11. So malware – by definition designed to disrupt the function of the system… whatever it may be, your mobile device, notebook or website.. In 2011 however, the concept of malnets – or malware networks – began to make a real impact on the web malware domain. Most of you will know and recognize malnets as BOTS.. These are highly complex networks designed to scale according to their needs and last well beyond any one attack… If you look closely at the image hat you’re actually seeing is the top 5 malnets being tracked by BlueCoat and how they scale over time.. Often dependent on what activities are being planned or executed…The network will shrink waiting for a reason to grow.. And as an event arises – say a death of a super start, an election, a holiday, something that warrants an action – it will grow to impact as many people as possible.. This is what a BOT is…
  12. Social Engineering – the art of manipulating users to divulge credentials and other sensitive informationXSS – allows you to inject client-side scripts into the web pagesXSRF – Sesion is hijacked and unathorized commands are executed under an authenticated user
  13. Everyday at least twice a day I get a client ask… Please make this go away for good… and I find myself going into a discussion of the threat landscape… I swear, I literally feel their eyes rolling into the back of their heads on the phone…So I decided to include this slid because it illustrates best what makes up the threat landscape..Is it all encompassing? Absolutely not.. But does it work to bring home the point? Absolutely… The risk can never be 0 and this is why.. Too many variables to account for.
  14. White-Hat’s – those that work at companies like mine, or the Symantecs, Trend’s, Norton’s of the world…Ethical / Grey Hat’s – Obviously between the white’s and black’s.. Not usually out to intentionally harm, often find vulnerabilities and disclose.. Sometimes more appropriately than others.. Script Kiddie’s – kind of a derogatory term in the community for the newbie’s that know enough to be dangerous. As the name implies, they often employ existing scripts used to exploit known vulnerabilitiesHacktivist – by far one of the fastest growing types of attackers – driven by politics, culture, religion – you wake up one day and you’re flying the Syrian flag or pleading for the release of Libyan fighters..Black hat’s – known as crackers – these are the guys intent on taking something good and turning it into some thing bad – highly intelligent, technically sound
  15. Gah.. If I had anickle for every time someone asked us this…What I can say is its not the day of version 1.5, as the product has matured so have the controls that help ensure that at every release a safe product is being released. While not perfect, there is a great team within the core contributors designed to quickly address issues and push patches once identified. So then why do we see so many WordPress sites infected? Well, I think the answer comes down to two things – extensibility and ease of use. It is to the point where the application is so easy to use that almost anyone is able to install, operate and manage an instance. The same applies to the extensibility, by its nature it’s an extensible platform, which is great, but its also its most vulnerable point and often where we see attack vectors introduced. Lastly, the darn thing is popular folks for the reasons I mentioned before… Remember the stats? That popularity brings about a target… I would say that in 80% of the attacks we see, it’s the road of least resistance that has allowed your WordPress instance to be compromised.
  16. Don’t worry, I won’t bore you with the specifics of these but I wanted to quickly show of some of the more recent issues in the past 6 months.. Just to show have valid of an issue this is.. And yes.. TimThumb is still very much a problem today…
  17. You are the webmaster of today! Recognize it, embrace it.Your local environment is as important as your web server. When was the last time you ran a local anti-virus?Did you know that most anti-virus only catch 70 – 80% of infection? Run multiple.
  18. Move out of web directoryUp a directoryBe weary of plugins that hardcode the locationAvailable since 2.6
  19. Caution 600 could break some thingsFTP user and PHP user are not going to be the same – ideal setupsIDEALLY one is the owner of the file and others in the group660 is okThe Lowest Permission that Works!!
  20. Caution this would block wp-signup.php – WP Multisite file